X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/79b9da22a1f4b26279940d285c1bc28ce4e99252..bf028f67fd3bb2266df81b80fb6f25a77112e308:/OSX/libsecurity_codesigning/lib/StaticCode.cpp?ds=inline

diff --git a/OSX/libsecurity_codesigning/lib/StaticCode.cpp b/OSX/libsecurity_codesigning/lib/StaticCode.cpp
index 7458d53b..2d5a3e90 100644
--- a/OSX/libsecurity_codesigning/lib/StaticCode.cpp
+++ b/OSX/libsecurity_codesigning/lib/StaticCode.cpp
@@ -358,6 +358,9 @@ void SecStaticCode::resetValidity()
 	mGotResourceBase = false;
 	mTrust = NULL;
 	mCertChain = NULL;
+	mNotarizationChecked = false;
+	mStaplingChecked = false;
+	mNotarizationDate = NAN;
 #if TARGET_OS_OSX
 	mEvalDetails = NULL;
 #endif
@@ -548,6 +551,26 @@ CFArrayRef SecStaticCode::cdHashes()
 	return mCDHashes;
 }
 
+//
+// Get a dictionary of untruncated cdhashes for all digest types in this signature.
+//
+CFDictionaryRef SecStaticCode::cdHashesFull()
+{
+	if (!mCDHashFullDict) {
+		CFRef<CFMutableDictionaryRef> cdDict = makeCFMutableDictionary();
+		for (auto const &it : mCodeDirectories) {
+			CodeDirectory::HashAlgorithm alg = it.first;
+			const CodeDirectory *cd = (const CodeDirectory *)CFDataGetBytePtr(it.second);
+			CFRef<CFDataRef> hash = cd->cdhash(false);
+			if (hash) {
+				CFDictionaryAddValue(cdDict, CFTempNumber(alg), hash);
+			}
+		}
+		mCDHashFullDict = cdDict.get();
+	}
+	return mCDHashFullDict;
+}
+
 
 //
 // Return the CMS signature blob; NULL if none found.
@@ -1220,7 +1243,9 @@ void SecStaticCode::validateResources(SecCSFlags flags)
 
 	if (doit) {
 		if (mLimitedAsync == NULL) {
-			mLimitedAsync = new LimitedAsync(diskRep()->fd().mediumType() == kIOPropertyMediumTypeSolidStateKey);
+			bool runMultiThreaded = ((flags & kSecCSSingleThreaded) == kSecCSSingleThreaded) ? false :
+					(diskRep()->fd().mediumType() == kIOPropertyMediumTypeSolidStateKey);
+			mLimitedAsync = new LimitedAsync(runMultiThreaded);
 		}
 
 		try {
@@ -1875,6 +1900,10 @@ const Requirement *SecStaticCode::defaultDesignatedRequirement()
 #if TARGET_OS_OSX
 		// full signature: Gin up full context and let DRMaker do its thing
 		validateDirectory();		// need the cert chain
+		CFRef<CFDateRef> secureTimestamp;
+		if (CFAbsoluteTime time = this->signingTimestamp()) {
+			secureTimestamp.take(CFDateCreate(NULL, time));
+		}
 		Requirement::Context context(this->certificates(),
 			this->infoDictionary(),
 			this->entitlements(),
@@ -1882,7 +1911,9 @@ const Requirement *SecStaticCode::defaultDesignatedRequirement()
 			this->codeDirectory(),
 			NULL,
 			kSecCodeSignatureNoHash,
-			false
+			false,
+			secureTimestamp,
+			this->teamID()
 		);
 		return DRMaker(context).make();
 #else
@@ -1915,7 +1946,15 @@ bool SecStaticCode::satisfiesRequirement(const Requirement *req, OSStatus failur
 	bool result = false;
 	assert(req);
 	validateDirectory();
-	result = req->validates(Requirement::Context(mCertChain, infoDictionary(), entitlements(), codeDirectory()->identifier(), codeDirectory(), NULL, kSecCodeSignatureNoHash, mRep->appleInternalForcePlatform()), failure);
+	CFRef<CFDateRef> secureTimestamp;
+	if (CFAbsoluteTime time = this->signingTimestamp()) {
+		secureTimestamp.take(CFDateCreate(NULL, time));
+	}
+	result = req->validates(Requirement::Context(mCertChain, infoDictionary(), entitlements(),
+												 codeDirectory()->identifier(), codeDirectory(),
+												 NULL, kSecCodeSignatureNoHash, mRep->appleInternalForcePlatform(),
+												 secureTimestamp, teamID()),
+							failure);
 	return result;
 }
 
@@ -1984,6 +2023,7 @@ CFDictionaryRef SecStaticCode::signingInformation(SecCSFlags flags)
 	CFDictionaryAddValue(dict, kSecCodeInfoSource, CFTempString(this->signatureSource()));
 	CFDictionaryAddValue(dict, kSecCodeInfoUnique, this->cdHash());
 	CFDictionaryAddValue(dict, kSecCodeInfoCdHashes, this->cdHashes());
+	CFDictionaryAddValue(dict, kSecCodeInfoCdHashesFull, this->cdHashesFull());
 	const CodeDirectory* cd = this->codeDirectory(false);
 	CFDictionaryAddValue(dict, kSecCodeInfoDigestAlgorithm, CFTempNumber(cd->hashType));
 	CFRef<CFArrayRef> digests = makeCFArrayFrom(^CFTypeRef(CodeDirectory::HashAlgorithm type) { return CFTempNumber(type); }, hashAlgorithms());
@@ -2085,6 +2125,16 @@ CFDictionaryRef SecStaticCode::signingInformation(SecCSFlags flags)
 		}
 	}
 
+	if (flags & kSecCSCalculateCMSDigest) {
+		try {
+			CFDictionaryAddValue(dict, kSecCodeInfoCMSDigestHashType, CFTempNumber(cmsDigestHashType()));
+			
+			CFRef<CFDataRef> cmsDigest = createCmsDigest();
+			if (cmsDigest) {
+				CFDictionaryAddValue(dict, kSecCodeInfoCMSDigest, cmsDigest.get());
+			}
+		} catch (...) { }
+	}
 
 	//
 	// kSecCSContentInformation adds more information about the physical layout
@@ -2202,9 +2252,12 @@ void SecStaticCode::staticValidate(SecCSFlags flags, const SecRequirement *req)
 		this->validateResources(flags);
 
 	// perform strict validation if desired
-	if (flags & kSecCSStrictValidate)
+	if (flags & kSecCSStrictValidate) {
 		mRep->strictValidate(codeDirectory(), mTolerateErrors, mValidationFlags);
 	reportProgress();
+	} else if (flags & kSecCSStrictValidateStructure) {
+		mRep->strictValidateStructure(codeDirectory(), mTolerateErrors, mValidationFlags);
+	}
 
 	// allow monitor intervention
 	if (CFRef<CFTypeRef> veto = reportEvent(CFSTR("validated"), NULL)) {
@@ -2290,10 +2343,35 @@ bool SecStaticCode::isAppleDeveloperCert(CFArrayRef certs)
 {
 	static const std::string appleDeveloperRequirement = "(" + std::string(WWDRRequirement) + ") or (" + MACWWDRRequirement + ") or (" + developerID + ") or (" + distributionCertificate + ") or (" + iPhoneDistributionCert + ")";
 	SecPointer<SecRequirement> req = new SecRequirement(parseRequirement(appleDeveloperRequirement), true);
-	Requirement::Context ctx(certs, NULL, NULL, "", NULL, NULL, kSecCodeSignatureNoHash, false);
+	Requirement::Context ctx(certs, NULL, NULL, "", NULL, NULL, kSecCodeSignatureNoHash, false, NULL, "");
 
 	return req->requirement()->validates(ctx);
 }
 
+CFDataRef SecStaticCode::createCmsDigest()
+{
+	/*
+	 * The CMS digest is a hash of the primary (first, most compatible) code directory,
+	 * but its hash algorithm is fixed and not related to the code directory's
+	 * hash algorithm.
+	 */
+	
+	auto it = codeDirectories()->begin();
+	
+	if (it == codeDirectories()->end()) {
+		return NULL;
+	}
+
+	CodeDirectory const * const cd = reinterpret_cast<CodeDirectory const*>(CFDataGetBytePtr(it->second));
+	
+	RefPointer<DynamicHash> hash = cd->hashFor(mCMSDigestHashType);
+	CFMutableDataRef data = CFDataCreateMutable(NULL, hash->digestLength());
+	CFDataSetLength(data, hash->digestLength());
+	hash->update(cd, cd->length());
+	hash->finish(CFDataGetMutableBytePtr(data));
+	
+	return data;
+}
+	
 } // end namespace CodeSigning
 } // end namespace Security